LinuxQuestions.org
Old 05-22-2010, 08:33 AM   #1
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Rep: Reputation: 0
Internal Network Server unable to access public Internet


Hi,

I have set up a network where a single CentOS server acts as a firewall/gateway to a number of internal servers. The firewall is able to access and ping the internet, however, none of the internal servers can.

I am trying to isolate the issue by focusing on a single server. The relevant details are:

FIREWALL Computer:

Code:
# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:00:BD:32  
          inet addr:XX.XX.XX.54  Bcast:XX.XX.XX.55  Mask:255.255.255.252
          inet6 addr: fe80::225:90ff:fe00:bd32/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:579 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10 
          RX bytes:43510 (42.4 KiB)  TX bytes:48712 (47.5 KiB)
          Memory:fb5e0000-fb600000 

eth1      Link encap:Ethernet  HWaddr 00:25:90:00:BD:33  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fe00:bd33/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:22423 (21.8 KiB)  TX bytes:30056 (29.3 KiB)
          Memory:fb6e0000-fb700000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
XX.XX.XX.52    0.0.0.0         255.255.255.252 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         XX.XX.XX.53    0.0.0.0         UG    0      0        0 eth0

# cat /etc/resolv.conf

search example.com
nameserver 205.171.3.65
nameserver 205.171.2.65

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:6772 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
What is odd about the default route is that it is pointing to XX.XX.XX.53 rather than eth0 XX.XX.XX.54 as I would expect. I changed it to the .54 value, but it seems to have been reset upon reboot. Also, I have configured static IP addresses for the internal, private, network.

INTERNAL Server:

Code:
# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:00:BF:A2  
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34194 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3386549 (3.2 MiB)  TX bytes:2890470 (2.7 MiB)
          Memory:fb5e0000-fb600000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

# cat /etc/resolv.conf

search example.com
nameserver 205.171.3.65
nameserver 205.171.2.65

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

# ping google.com
ping: unknown host google.com
I have disabled SELinux on this server.

This is driving me crazy and I've spent far too much time using Google trying to track the issue down. Any insight is appreciated.

Thanks,
John
 
Old 05-22-2010, 10:50 AM   #2
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
xxx.xxx.xxx.53 is probably your isp's gateway. Can you also run 'route -n' on your internal server?
 
Old 05-22-2010, 10:52 AM   #3
Cotun
Member
 
Registered: Jan 2009
Location: UK
Distribution: Debian Stable and Unstable
Posts: 61

Rep: Reputation: 21
I'm pretty sure you've already done this and forgive me if this is totally obvious but have you checked that the gateway value on the internal machines is correctly set? As far as I can see, you didn't provide that information in your post.
 
Old 05-22-2010, 11:21 AM   #4
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Blue_Ice
xxx.xxx.xxx.53 is probably your isp's gateway. Can you also run 'route -n' on your internal server?
Hi Blue Ice,

Thanks for the response. Here is the route -n on the internal machine:

Code:
# route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
Thanks,
John
 
Old 05-22-2010, 11:24 AM   #5
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Cotun
...have you checked that the gateway value on the internal machines is correctly set?
Hi Cotun,

Do you mean the network settings on the internal server? If so, here is the configuration from eth0:

Code:
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82574L Gigabit Network Connection
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.10
NETMASK=255.255.255.0
NETWORK=192.168.0.0
GATEWAY=192.168.0.1
HWADDR=00:25:90:00:bf:a2
ONBOOT=yes
As far as I can tell, with both the previous "route -n" post and this one, I *think* I have everything correct.

John
 
Old 05-22-2010, 11:51 AM   #6
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
Can you post the contents of the file /etc/sysconfig/iptables.save after running 'service iptables save'? I suspect there is something wrong with your forwarding in iptables. The routing table on your internal server looks okay.
 
Old 05-22-2010, 02:52 PM   #7
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Blue_Ice
Can you post the contents of the file /etc/sysconfig/iptables.save after running 'service iptables save'.
Internal Server:

Code:
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat May 22 06:48:12 2010
*filter
:INPUT ACCEPT [520:48649]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [501:42512]
COMMIT
# Completed on Sat May 22 06:48:12 2010
External Facing Server:

Code:
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat May 22 06:50:57 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19645:1914032]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6772 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Sat May 22 06:50:57 2010
 
Old 05-22-2010, 03:48 PM   #8
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
There is no NAT present.
In my iptables config I have something like this at the bottom:
Code:
...
*nat
:PREROUTING ACCEPT [8305:780307]
:POSTROUTING ACCEPT [15:1036]
:OUTPUT ACCEPT [458:29442]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
 
Old 05-22-2010, 05:32 PM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 12,061

Rep: Reputation: 760
If you can ping 74.125.45.103 (google.com) successfully then it is just a matter of updating your server's /etc/resolv.conf file with your ISP DNS IPs. You also need to configure IP forwarding and add the iptables rules for NAT as already posted.

Last edited by michaelk; 05-22-2010 at 05:34 PM.
 
Old 05-22-2010, 06:46 PM   #10
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by michaelk
If you can ping 74.125.45.103 (google.com) successfully then it is just a matter of updating your server's /etc/resolv.conf file with your ISP DNS IPs.
Agreed. Although, unfortunately, I've tried that. Here are my attempts from the internal server:

Code:
# ping 74.125.45.103
PING 74.125.45.103 (74.125.45.103) 56(84) bytes of data.

--- 74.125.45.103 ping statistics ---
62 packets transmitted, 0 received, 100% packet loss, time 61000ms

# ping google.com
ping: unknown host google.com
Thanks for the response.

John
 
Old 05-22-2010, 07:02 PM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 12,061

Rep: Reputation: 760
Did you enable IP forwarding?
To enable IP forwarding edit your /etc/sysctl.conf and change the following line from a 0 to a 1. This will not become effective until you reboot.
net.ipv4.ip_forward = 0

To enable it on the fly
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 05-22-2010, 07:09 PM   #12
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Blue_Ice
There is no NAT present.
In my iptables config I have something like this at the bottom:
Code:
...
*nat
:PREROUTING ACCEPT [8305:780307]
:POSTROUTING ACCEPT [15:1036]
:OUTPUT ACCEPT [458:29442]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Hi BlueIce,

I have this as part of my iptables config:

Code:
# masquerade from internal network
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE
I'm not sure why it doesn't show up in the listings I provided earlier. I didn't have it on the internal server, but didn't think I needed to since the routing rules should take care of forwarding any public internet traffic out through the Gateway.

Thanks,
John
 
Old 05-23-2010, 11:05 AM   #13
Cotun
Member
 
Registered: Jan 2009
Location: UK
Distribution: Debian Stable and Unstable
Posts: 61

Rep: Reputation: 21
Quote:
Do you mean the network settings on the internal server? If so, here is the configuration from eth0:

As far as I can tell, with both the previous "route -n" post and this one, I *think* I have everything correct.
Yes, that looks fine.

Unfortunately, we are moving beyond my realm of expertise now into manual iptables firewalls (I use a configuration tool for this). But it seems to me that there are only two possibilities: 1) the firewall is blocking traffic to/from the internal server, or 2) the traffic isn't being routed at all for some reason.

Can I assume that the internal server can actually connect to the firewall? Just to rule out a bizarre network problem.

Thanks
 
Old 05-23-2010, 11:07 AM   #14
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
Quote:
Originally Posted by johndubchak
I'm not sure why it doesn't show up in the listings I provided earlier. I didn't have it on the internal server, but didn't think I needed to since the routing rules should take care of forwarding any public internet traffic out through the Gateway.
You need it, as your internal network has private IP addresses. You need to translate the addresses. You can add the rules yourself in /etc/sysconfig/iptables and restart iptables. These rules are not needed on your internal server. What is important is the IP forwarding setting in sysctl.conf as mentioned in the other posts.
 
Old 05-23-2010, 03:04 PM   #15
johndubchak
LQ Newbie
 
Registered: May 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Blue Ice,

Here is the output from executing iptables save, specifically the filters section, from the Gateway/external server:

Code:
*filter
:INPUT DROP [16:3486]
:FORWARD DROP [22:1719]
:OUTPUT DROP [0:0]
:DUMP - [0:0]
:SSH - [0:0]
:STATEFUL - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN-FLOOD 
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -i eth0 -f -j LOG --log-prefix "IPT FRAGMENTS: " 
-A INPUT -i eth0 -f -j DROP 
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN-FLOOD 
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -i eth0 -f -j LOG --log-prefix "IPT FRAGMENTS: " 
-A INPUT -i eth0 -f -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth0 -j DUMP 
-A INPUT -s 240.0.0.0/255.0.0.0 -i eth0 -j DUMP 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSH 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 113 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --sport 123 --dport 123 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 33434:65535 -j ACCEPT 
-A INPUT -j STATEFUL 
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -o eth0 -j ACCEPT 
-A FORWARD -j STATEFUL 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 192.168.0.0 -j ACCEPT 
-A OUTPUT -j STATEFUL 
-A DUMP -p icmp -m limit --limit 1/min -j LOG --log-prefix "IPT ICMPDUMP: " 
-A DUMP -p tcp -m limit --limit 1/min -j LOG --log-prefix "IPT TCPDUMP: " 
-A DUMP -p udp -m limit --limit 1/min -j LOG --log-prefix "IPT UDPDUMP: " 
-A DUMP -p tcp -j REJECT --reject-with tcp-reset 
-A SSH -i ! eth0 -j RETURN 
-A SSH -m recent --set --name SSH --rsource 
-A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN 
-A SSH -j DUMP 
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT 
-A STATEFUL -j DUMP 
-A SYN-FLOOD -m limit --limit 1/sec --limit-burst 4 -j RETURN 
-A SYN-FLOOD -j DROP 
COMMIT
I may be wrong, but is it possible that I don't have a rule that allows anything to be accepted that originates as incoming on the private network through eth1?

Thanks,
John
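Taking the replies in #8, #11 and #14 together with the ruleset in #15, here is an added example (not code from the thread or from any of its posters) of an offline checker that reads iptables-save text plus a sysctl.conf fragment and reports the things a NAT gateway needs: ip_forward on, a MASQUERADE rule leaving the external interface, a FORWARD chain that passes eth1-to-eth0 traffic and its replies, and an INPUT chain that accepts new connections from eth1 to the gateway itself. The embedded rulesets are trimmed copies of what was posted in #7 and #15, the nat table is the one shown in #8 and the sysctl line is the one from #11; the chain walker models only -i, -o, -p and --state, so rules with port, address, fragment or limit matches are treated as non-matching. Those simplifications and the interface names eth0/eth1 are assumptions of this example.

```python
# Added example, not code from the thread: an offline checker for the points the
# replies raise -- ip_forward in sysctl.conf, a MASQUERADE rule in the nat table,
# and whether the filter table's FORWARD and INPUT chains pass LAN traffic. Chains
# are walked as the kernel walks them (first terminating match wins, user chains
# RETURN, built-in chains fall back to policy); only -i, -o, -p and --state are modelled.
def parse_iptables_save(text):
    """{table: {"chains": {name: policy}, "rules": [(chain, rule_text)]}}"""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"chains": {}, "rules": []}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[current]["chains"][name] = policy
        elif line.startswith("-A "):
            _, chain, rest = line.split(None, 2)
            tables[current]["rules"].append((chain, rest))
    return tables  # blank, comment and COMMIT lines are simply skipped

def parse_rule(rule):
    """([(option, value, negated)], target), or (None, None) if an option is unmodelled."""
    toks, matches, target, i = rule.split(), [], None, 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-i", "-o", "-p", "--state"):
            negated = toks[i + 1] == "!"  # negation as iptables 1.3 writes it: -i ! eth0
            val = toks[i + 2] if negated else toks[i + 1]
            matches.append((tok, val, negated))
            i += 3 if negated else 2
        elif tok in ("-m", "-j", "--reject-with"):
            if tok == "-j":
                target = toks[i + 1]
            i += 2  # module name and reject type do not affect matching here
        else:  # -s, -d, --dport, -f, --tcp-flags, --limit, --icmp-type ...
            return None, None
    return matches, target

def rule_matches(matches, pkt):
    # every match must hit (or miss, when negated); --state takes a comma-separated list
    return all((pkt["state"] in v.split(",") if o == "--state" else pkt.get(o) == v) != neg
               for o, v, neg in matches)

def verdict(table, chain, pkt):
    """ACCEPT/DROP/REJECT for pkt entering chain; RETURN when a user chain falls through."""
    policy = table["chains"].get(chain, "-")
    for c, rule in table["rules"]:
        if c != chain:
            continue
        matches, target = parse_rule(rule)
        if matches is None or not rule_matches(matches, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in table["chains"]:  # jump into a user chain
            sub = verdict(table, target, pkt)
            if sub != "RETURN":
                return sub
    return "RETURN" if policy == "-" else policy  # LOG and friends fall through to here

def gateway_report(iptables_text, sysctl_text, int_if="eth1", ext_if="eth0"):
    tables = parse_iptables_save(iptables_text)
    filt = tables.get("filter", {"chains": {}, "rules": []})
    nat_rules = tables.get("nat", {"rules": []})["rules"]
    lan_out = {"-i": int_if, "-o": ext_if, "-p": "tcp", "state": "NEW"}
    reply = {"-i": ext_if, "-o": int_if, "-p": "tcp", "state": "ESTABLISHED"}
    return {
        "ip_forward": any(l.replace(" ", "") == "net.ipv4.ip_forward=1" for l in sysctl_text.splitlines()),
        "masquerade": any(c == "POSTROUTING" and f"-o {ext_if}" in r and "-j MASQUERADE" in r for c, r in nat_rules),
        "forward_out": verdict(filt, "FORWARD", lan_out),
        "forward_back": verdict(filt, "FORWARD", reply),
        "input_from_lan": verdict(filt, "INPUT", {"-i": int_if, "-p": "tcp", "state": "NEW"}),
    }

# Constructed inputs: trimmed copies of the rulesets posted in #7 and #15, the nat table from #8, the sysctl line from #11.
RULES_POST7 = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
RULES_POST15 = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:STATEFUL - [0:0]
-A INPUT -j STATEFUL
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j STATEFUL
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
COMMIT
"""
NAT_POST8 = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n"
SYSCTL_POST11 = "net.ipv4.ip_forward = 0\n"
```

Run against the two rulesets from the thread, gateway_report() separates the questions the replies raised. On the #7 ruleset there is no nat table, and FORWARD hands every packet to RH-Firewall-1-INPUT, whose final REJECT catches a new connection from eth1, so both forward_out and input_from_lan come back REJECT. On the #15 ruleset the explicit FORWARD rules accept eth1-to-eth0 traffic and its replies, and STATEFUL accepts NEW connections arriving on anything but eth0, so the filter rules are not what stands in the way there; what the report then turns on is the MASQUERADE rule and the ip_forward setting. Feed it the real files with open("/etc/sysconfig/iptables").read() and open("/etc/sysctl.conf").read() on the gateway; the kernel's live value is in /proc/sys/net/ipv4/ip_forward, which the sysctl.conf check does not read.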
 
  

